Online Help

SafeNet Trusted Access for Citrix NetScaler Gateway

Overview

Configuring SafeNet Trusted Access for Citrix NetScaler Gateway is a three-step process:

1. Citrix NetScaler Gateway setup

2. SafeNet Trusted Access setup

3. Verify authentication

Citrix NetScaler Gateway Setup

As a prerequisite, download the Identity Provider signing certificate from the SafeNet Trusted Access console by clicking on the Download X.509 certificate button. You will need this certificate in one of the steps below.

Perform the following steps to configure SafeNet Trusted Access as your Identity Provider in Citrix NetScaler Gateway:

1. Install the Identity Provider certificate

2. Create the authentication server

3. Create the authentication policy

4. Assign the SAML policy to Citrix NetScaler Gateway

Install the Identity Provider Certificate

Perform the following steps to install the Identity Provider certificate in Citrix NetScaler Gateway:

1. Log in to the Citrix NetScaler Gateway administrator account using the https://<domain name> URL.

2. On the Configuration tab, perform the following steps:

a. In the left pane, click Traffic Management > SSL > Certificates > CA Certificates.

b. In the right pane, under CA Certificates, click Install.

3. In the Install CA Certificate window, perform the following steps:

a. In the Certificate-Key Pair Name field, enter a name for the certificate.

b. Under Certificate File Name, select local.

c. Search for and select the Identity Provider signing certificate that you downloaded earlier from the SafeNet Trusted Access console.

Note: For Citrix NetScaler Gateway v11.0, navigate to Traffic Management > SSL > Certificates and in the right pane, click Install Certificate.

Create the Authentication Server

Perform the following steps to create the authentication server:

1. From the Citrix NetScaler Gateway administrator console, on the Configuration tab, perform the following steps:

a. In the left pane, click NetScaler Gateway > Policies > Authentication > SAML.

b. In the right pane, under SAML, click the Servers tab and then click Add.

2. In the Create Authentication SAML Server window, perform the following steps:

a. In the Name field, enter a name for the server.

b. In the IDP Certificate Name field, select the IDP certificate that you installed earlier in step 3 of Install the Identity Provider Certificate.

c. In the Redirect URL field, enter the SingleSignOnService URL that is provided on the SafeNet Trusted Access console. You can copy this URL by clicking the Copy to Clipboard icon available next to the SingleSignOnService field.

d. In the Issuer Name field, enter the Citrix NetScaler Gateway virtual server URL.

e. Click More.

f. Under Signature Algorithm, select RSA-SHA256.

g. Under Digest Method, select SHA256.

h. Click Create.

3. Click Create.

Create the Authentication Policy

Perform the following steps to create the authentication policy:

1. On the Citrix NetScaler Gateway administrator console, click the Configuration tab, and then perform the following steps:

a. In the left pane, click NetScaler Gateway > Policies > Authentication > SAML.

b. In the right pane, under SAML, on the Policies tab, click Add.

2. In the Create Authentication SAML Policy window, complete the following fields, and then click Create.

Field       Value to be Set
Name        Enter a name for the policy (for example, samlpolicy).
Server      Select the server (for example, samlserver) that you created earlier in step 2 of Create the Authentication Server.
Expression  Enter the logical expression that you want to use (for example, ns_true).

Assign the SAML Policy to Citrix NetScaler Gateway

1. On the Citrix NetScaler Gateway administrator console, on the Configuration tab, perform the following steps:

a. In the left pane, click NetScaler Gateway > Virtual Servers.

b. In the right pane, under NetScaler Gateway Virtual Servers, select the virtual server to which you want to assign the SAML policy.

c. Click Edit.

2. On the VPN Virtual Server window, under Basic Authentication, click .

3. On the Choose Type window, complete the following fields, and then click Continue:

Field          Value to be Set
Choose Policy  Select SAML.
Choose Type    Select Primary.

4. Under Policy Binding, in the Select Policy field, click .

5. In the Policies window, select the authentication policy that you created earlier in step 2 of Create the Authentication Policy, and then click Select.

6. On the Choose Type window, click Bind.

7. Click Done.

8. On the Citrix NetScaler Gateway administrator console, on the top right-side corner, click to save the configuration.

9. Log in to the Citrix NetScaler Gateway command line interface as a root user and perform the following steps:

a. Run Shell to enter the Shell prompt.

b. In the Shell prompt, run nsapimgr_wr.sh -ys call=ns_saml_sign_verify_new

Note: You need to run this command to avoid bug #707237. Due to this bug, assertion verification may fail during SAML authentication. This affects Citrix NetScaler Gateway v12.0.56 and v12.0.57.

The workaround command nsapimgr_wr.sh -ys call=ns_saml_sign_verify_new must be added to /nsconfig/rc.netscaler to persist across reboots. To do this, navigate to /nsconfig and execute the following command:
echo nsapimgr_wr.sh -ys call=ns_saml_sign_verify_new >> rc.netscaler

Verify that this line is added by using cat -v rc.netscaler.
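
An idempotent way to persist the workaround, as an added example that is not part of the vendor documentation: a plain echo with >> adds a duplicate line every time it is re-run, and joins the command onto the previous line if the file does not end with a newline. The function names and the demo file contents are hypothetical.

```shell
#!/bin/sh
# Added example, not vendor code. Helper names are hypothetical.
WORKAROUND='nsapimgr_wr.sh -ys call=ns_saml_sign_verify_new'

# Append the workaround to FILE unless an identical line already exists.
persist_workaround() {
    rc_file=$1
    [ -e "$rc_file" ] || : > "$rc_file"
    # -x whole line, -F fixed string: no regex surprises, no partial matches.
    if grep -qxF -- "$WORKAROUND" "$rc_file"; then
        return 0
    fi
    # Keep one backup of the file as it was before the first change.
    [ -e "$rc_file.bak" ] || cp -p "$rc_file" "$rc_file.bak"
    # If the last byte is not a newline, add one so the command is not
    # glued onto the end of the previous line.
    if [ -s "$rc_file" ] && [ -n "$(tail -c 1 "$rc_file")" ]; then
        printf '\n' >> "$rc_file"
    fi
    printf '%s\n' "$WORKAROUND" >> "$rc_file"
}

# Print how many exact copies of the workaround line FILE contains.
count_workaround() {
    grep -cxF -- "$WORKAROUND" "$1" || true
}

# Demo on a constructed file; on the appliance the argument would be
# /nsconfig/rc.netscaler.
demo=$(mktemp)
printf 'constructed_existing_command' > "$demo"   # no trailing newline
persist_workaround "$demo"
persist_workaround "$demo"                         # second run is a no-op
echo "copies: $(count_workaround "$demo")"
cat -v "$demo"
rm -f "$demo" "$demo.bak"
```

The backup file makes it straightforward to restore the original rc.netscaler once the appliance is upgraded past the affected builds and the workaround is no longer needed.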

SafeNet Trusted Access Setup

After completing the first step of configuring SafeNet Trusted Access in Citrix NetScaler Gateway, the second step is to activate the Citrix NetScaler Gateway application in SafeNet Trusted Access by performing the following steps:

1. In the Applications pane, the Citrix NetScaler Gateway application that you added previously is in an inactive state by default. To configure and activate this application, click the application (for example, Citrix NetScaler Gateway) and proceed to the next step.

2. Under STA Setup, in the VIRTUAL SERVER NAME OR IP ADDRESS field, enter the Citrix NetScaler Gateway virtual server name or IP address.

3. Click Save Configuration to save the details and activate the Citrix NetScaler Gateway application in SafeNet Trusted Access.

Verify Authentication

Using STA Console

Navigate to the Citrix NetScaler Gateway URL, https://<domainName>.yourcompany.com, where <domainName> is the name of your organization that you registered in Citrix NetScaler Gateway. You will be redirected to the SafeNet Trusted Access sign-in page. Enter your primary directory login information, approve the two-factor authentication, and you should be redirected to the Citrix NetScaler Gateway user portal after authentication.

Using STA User Portal

Navigate to the User Portal URL to log in to the STA User Portal dashboard. On the dashboard, you will see a list of applications to which you have access. Click the Citrix NetScaler Gateway application icon; you should be redirected to the Citrix NetScaler Gateway user portal after authentication.

© 2018 SafeNet Trusted Access. Various trademarks held by their respective owners.